NHS Trust Reprimanded for Failure to Respond to SARs On Time


The Information Commissioner’s Office (ICO) has issued a reprimand to an NHS trust for infringements of the UK General Data Protection Regulation (GDPR), in particular failing to respond to subject access requests (SARs) within the statutory time limit.

Under Article 12(3) of the GDPR, data controllers must respond to an SAR without undue delay and in any event within one month of receiving it. This may be extended to three months if necessary, taking into account the number of requests and their complexity. In the event of an extension, the data controller must inform the data subject within one month of receipt of the SAR, explaining the reasons for the delay.

Following an investigation, the ICO found that, from 1 August 2022 to 1 July 2023, the trust had responded to only 59 per cent of SARs within the statutory time limit. The ICO noted that the trust still had a backlog of SARs and highlighted inadequacies in its handling processes; for example, until January 2021 requests were dealt with in alphabetical rather than date order. Because of the volume of SARs received, the trust automatically applied extensions to all of them, regardless of complexity, without informing the data subjects.

After considering the circumstances of the case, including remedial steps the trust had since taken, the ICO issued a reprimand. It also set out recommendations that might help the trust to rectify the infringements and ensure future compliance with the GDPR.

Guidance and resources on complying with the GDPR can be found on the ICO’s website.